diff options
-rw-r--r-- | system/libraries/Encrypt.php | 521 | ||||
-rw-r--r-- | tests/codeigniter/libraries/Encrypt_test.php | 79 | ||||
-rwxr-xr-x | tests/mocks/database/ci_test.sqlite | bin | 19456 -> 19456 bytes | |||
-rw-r--r-- | tests/mocks/libraries/encrypt.php | 16 | ||||
-rw-r--r-- | user_guide_src/source/changelog.rst | 15 | ||||
-rw-r--r-- | user_guide_src/source/installation/upgrade_200.rst | 6 | ||||
-rw-r--r-- | user_guide_src/source/installation/upgrade_220.rst | 13 | ||||
-rw-r--r-- | user_guide_src/source/installation/upgrade_300.rst | 11 | ||||
-rw-r--r-- | user_guide_src/source/installation/upgrade_320.rst | 1 | ||||
-rw-r--r-- | user_guide_src/source/libraries/encrypt.rst | 198 | ||||
-rw-r--r-- | user_guide_src/source/libraries/encryption.rst | 4 |
11 files changed, 24 insertions, 840 deletions
diff --git a/system/libraries/Encrypt.php b/system/libraries/Encrypt.php deleted file mode 100644 index df1af4cf4..000000000 --- a/system/libraries/Encrypt.php +++ /dev/null @@ -1,521 +0,0 @@ -<?php -/** - * CodeIgniter - * - * An open source application development framework for PHP - * - * This content is released under the MIT License (MIT) - * - * Copyright (c) 2014 - 2019, British Columbia Institute of Technology - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - * - * @package CodeIgniter - * @author EllisLab Dev Team - * @copyright Copyright (c) 2008 - 2014, EllisLab, Inc. (https://ellislab.com/) - * @copyright Copyright (c) 2014 - 2019, British Columbia Institute of Technology (https://bcit.ca/) - * @license https://opensource.org/licenses/MIT MIT License - * @link https://codeigniter.com - * @since Version 1.0.0 - * @filesource - */ -defined('BASEPATH') OR exit('No direct script access allowed'); - -/** - * CodeIgniter Encryption Class - * - * Provides two-way keyed encoding using Mcrypt - * - * @package CodeIgniter - * @subpackage Libraries - * @category Libraries - * @author EllisLab Dev Team - * @link https://codeigniter.com/userguide3/libraries/encryption.html - */ -class CI_Encrypt { - - /** - * Reference to the user's encryption key - * - * @var string - */ - public $encryption_key = ''; - - /** - * Type of hash operation - * - * @var string - */ - protected $_hash_type = 'sha1'; - - /** - * Flag for the existence of mcrypt - * - * @var bool - */ - protected $_mcrypt_exists = FALSE; - - /** - * Current cipher to be used with mcrypt - * - * @var string - */ - protected $_mcrypt_cipher; - - /** - * Method for encrypting/decrypting data - * - * @var int - */ - protected $_mcrypt_mode; - - /** - * Initialize Encryption class - * - * @return void - */ - public function __construct() - { - if (($this->_mcrypt_exists = function_exists('mcrypt_encrypt')) === FALSE) - { - show_error('The Encrypt library requires the Mcrypt extension.'); - } - - log_message('info', 'Encrypt Class Initialized'); - } - - // -------------------------------------------------------------------- - - /** - * Fetch the encryption key - * - * Returns it as MD5 in order to have an exact-length 128 bit key. - * Mcrypt is sensitive to keys that are not the correct length - * - * @param string - * @return string - */ - public function get_key($key = '') - { - if ($key === '') - { - if ($this->encryption_key !== '') - { - return $this->encryption_key; - } - - $key = config_item('encryption_key'); - - if ( ! self::strlen($key)) - { - show_error('In order to use the encryption class requires that you set an encryption key in your config file.'); - } - } - - return md5($key); - } - - // -------------------------------------------------------------------- - - /** - * Set the encryption key - * - * @param string - * @return CI_Encrypt - */ - public function set_key($key = '') - { - $this->encryption_key = $key; - return $this; - } - - // -------------------------------------------------------------------- - - /** - * Encode - * - * Encodes the message string using bitwise XOR encoding. - * The key is combined with a random hash, and then it - * too gets converted using XOR. The whole thing is then run - * through mcrypt using the randomized key. The end result - * is a double-encrypted message string that is randomized - * with each call to this function, even if the supplied - * message and key are the same. - * - * @param string the string to encode - * @param string the key - * @return string - */ - public function encode($string, $key = '') - { - return base64_encode($this->mcrypt_encode($string, $this->get_key($key))); - } - - // -------------------------------------------------------------------- - - /** - * Decode - * - * Reverses the above process - * - * @param string - * @param string - * @return string - */ - public function decode($string, $key = '') - { - if (preg_match('/[^a-zA-Z0-9\/\+=]/', $string) OR base64_encode(base64_decode($string)) !== $string) - { - return FALSE; - } - - return $this->mcrypt_decode(base64_decode($string), $this->get_key($key)); - } - - // -------------------------------------------------------------------- - - /** - * Encode from Legacy - * - * Takes an encoded string from the original Encryption class algorithms and - * returns a newly encoded string using the improved method added in 2.0.0 - * This allows for backwards compatibility and a method to transition to the - * new encryption algorithms. - * - * For more details, see https://codeigniter.com/userguide3/installation/upgrade_200.html#encryption - * - * @param string - * @param int (mcrypt mode constant) - * @param string - * @return string - */ - public function encode_from_legacy($string, $legacy_mode = MCRYPT_MODE_ECB, $key = '') - { - if (preg_match('/[^a-zA-Z0-9\/\+=]/', $string)) - { - return FALSE; - } - - // decode it first - // set mode temporarily to what it was when string was encoded with the legacy - // algorithm - typically MCRYPT_MODE_ECB - $current_mode = $this->_get_mode(); - $this->set_mode($legacy_mode); - - $key = $this->get_key($key); - $dec = base64_decode($string); - if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE) - { - $this->set_mode($current_mode); - return FALSE; - } - - $dec = $this->_xor_decode($dec, $key); - - // set the mcrypt mode back to what it should be, typically MCRYPT_MODE_CBC - $this->set_mode($current_mode); - - // and re-encode - return base64_encode($this->mcrypt_encode($dec, $key)); - } - - // -------------------------------------------------------------------- - - /** - * XOR Decode - * - * Takes an encoded string and key as input and generates the - * plain-text original message - * - * @param string - * @param string - * @return string - */ - protected function _xor_decode($string, $key) - { - $string = $this->_xor_merge($string, $key); - - $dec = ''; - for ($i = 0, $l = self::strlen($string); $i < $l; $i++) - { - $dec .= ($string[$i++] ^ $string[$i]); - } - - return $dec; - } - - // -------------------------------------------------------------------- - - /** - * XOR key + string Combiner - * - * Takes a string and key as input and computes the difference using XOR - * - * @param string - * @param string - * @return string - */ - protected function _xor_merge($string, $key) - { - $hash = $this->hash($key); - $str = ''; - - for ($i = 0, $ls = self::strlen($string), $lh = self::strlen($hash); $i < $ls; $i++) - { - $str .= $string[$i] ^ $hash[($i % $lh)]; - } - - return $str; - } - - // -------------------------------------------------------------------- - - /** - * Encrypt using Mcrypt - * - * @param string - * @param string - * @return string - */ - public function mcrypt_encode($data, $key) - { - $init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode()); - $init_vect = mcrypt_create_iv($init_size, MCRYPT_DEV_URANDOM); - return $this->_add_cipher_noise($init_vect.mcrypt_encrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), $key); - } - - // -------------------------------------------------------------------- - - /** - * Decrypt using Mcrypt - * - * @param string - * @param string - * @return string - */ - public function mcrypt_decode($data, $key) - { - $data = $this->_remove_cipher_noise($data, $key); - $init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode()); - - if ($init_size > self::strlen($data)) - { - return FALSE; - } - - $init_vect = self::substr($data, 0, $init_size); - $data = self::substr($data, $init_size); - - return rtrim(mcrypt_decrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), "\0"); - } - - // -------------------------------------------------------------------- - - /** - * Adds permuted noise to the IV + encrypted data to protect - * against Man-in-the-middle attacks on CBC mode ciphers - * http://www.ciphersbyritter.com/GLOSSARY.HTM#IV - * - * @param string - * @param string - * @return string - */ - protected function _add_cipher_noise($data, $key) - { - $key = $this->hash($key); - $str = ''; - - for ($i = 0, $j = 0, $ld = self::strlen($data), $lk = self::strlen($key); $i < $ld; ++$i, ++$j) - { - if ($j >= $lk) - { - $j = 0; - } - - $str .= chr((ord($data[$i]) + ord($key[$j])) % 256); - } - - return $str; - } - - // -------------------------------------------------------------------- - - /** - * Removes permuted noise from the IV + encrypted data, reversing - * _add_cipher_noise() - * - * Function description - * - * @param string $data - * @param string $key - * @return string - */ - protected function _remove_cipher_noise($data, $key) - { - $key = $this->hash($key); - $str = ''; - - for ($i = 0, $j = 0, $ld = self::strlen($data), $lk = self::strlen($key); $i < $ld; ++$i, ++$j) - { - if ($j >= $lk) - { - $j = 0; - } - - $temp = ord($data[$i]) - ord($key[$j]); - - if ($temp < 0) - { - $temp += 256; - } - - $str .= chr($temp); - } - - return $str; - } - - // -------------------------------------------------------------------- - - /** - * Set the Mcrypt Cipher - * - * @param int - * @return CI_Encrypt - */ - public function set_cipher($cipher) - { - $this->_mcrypt_cipher = $cipher; - return $this; - } - - // -------------------------------------------------------------------- - - /** - * Set the Mcrypt Mode - * - * @param int - * @return CI_Encrypt - */ - public function set_mode($mode) - { - $this->_mcrypt_mode = $mode; - return $this; - } - - // -------------------------------------------------------------------- - - /** - * Get Mcrypt cipher Value - * - * @return int - */ - protected function _get_cipher() - { - if ($this->_mcrypt_cipher === NULL) - { - return $this->_mcrypt_cipher = MCRYPT_RIJNDAEL_256; - } - - return $this->_mcrypt_cipher; - } - - // -------------------------------------------------------------------- - - /** - * Get Mcrypt Mode Value - * - * @return int - */ - protected function _get_mode() - { - if ($this->_mcrypt_mode === NULL) - { - return $this->_mcrypt_mode = MCRYPT_MODE_CBC; - } - - return $this->_mcrypt_mode; - } - - // -------------------------------------------------------------------- - - /** - * Set the Hash type - * - * @param string - * @return void - */ - public function set_hash($type = 'sha1') - { - $this->_hash_type = in_array($type, hash_algos()) ? $type : 'sha1'; - } - - // -------------------------------------------------------------------- - - /** - * Hash encode a string - * - * @param string - * @return string - */ - public function hash($str) - { - return hash($this->_hash_type, $str); - } - - // -------------------------------------------------------------------- - - /** - * Byte-safe strlen() - * - * @param string $str - * @return int - */ - protected static function strlen($str) - { - return defined('MB_OVERLOAD_STRING') - ? mb_strlen($str, '8bit') - : strlen($str); - } - - // -------------------------------------------------------------------- - - /** - * Byte-safe substr() - * - * @param string $str - * @param int $start - * @param int $length - * @return string - */ - protected static function substr($str, $start, $length = NULL) - { - if (defined('MB_OVERLOAD_STRING')) - { - // mb_substr($str, $start, null, '8bit') returns an empty - // string on PHP 5.3 - isset($length) OR $length = ($start >= 0 ? self::strlen($str) - $start : -$start); - return mb_substr($str, $start, $length, '8bit'); - } - - return isset($length) - ? substr($str, $start, $length) - : substr($str, $start); - } -} diff --git a/tests/codeigniter/libraries/Encrypt_test.php b/tests/codeigniter/libraries/Encrypt_test.php deleted file mode 100644 index adbca31b2..000000000 --- a/tests/codeigniter/libraries/Encrypt_test.php +++ /dev/null @@ -1,79 +0,0 @@ -<?php -/** - * @requires extension mcrypt - */ -class Encrypt_test extends CI_TestCase { - - public function set_up() - { - if ( ! extension_loaded('mcrypt')) - { - return; - } - elseif (version_compare(PHP_VERSION, '7.1.0-alpha', '>=')) - { - return $this->markTestSkipped('ext/mcrypt is deprecated since PHP 7.1 and will generate notices here.'); - } - - $this->encrypt = new Mock_Libraries_Encrypt(); - $this->ci_instance_var('encrypt', $this->encrypt); - - $this->ci_set_config('encryption_key', "Encryptin'glike@boss!"); - $this->msg = 'My secret message'; - } - - // -------------------------------------------------------------------- - - public function test_encode() - { - $this->assertNotEquals($this->msg, $this->encrypt->encode($this->msg)); - } - - // -------------------------------------------------------------------- - - public function test_decode() - { - $encoded_msg = $this->encrypt->encode($this->msg); - $this->assertEquals($this->msg, $this->encrypt->decode($encoded_msg)); - } - - // -------------------------------------------------------------------- - - public function test_optional_key() - { - $key = 'Ohai!ù0129°03182%HD1892P0'; - $encoded_msg = $this->encrypt->encode($this->msg, $key); - $this->assertEquals($this->msg, $this->encrypt->decode($encoded_msg, $key)); - } - - // -------------------------------------------------------------------- - - public function test_default_cipher() - { - $this->assertEquals('rijndael-256', $this->encrypt->get_cipher()); - } - - // -------------------------------------------------------------------- - - public function test_set_cipher() - { - $this->encrypt->set_cipher(MCRYPT_BLOWFISH); - $this->assertEquals('blowfish', $this->encrypt->get_cipher()); - } - - // -------------------------------------------------------------------- - - public function test_default_mode() - { - $this->assertEquals('cbc', $this->encrypt->get_mode()); - } - - // -------------------------------------------------------------------- - - public function test_set_mode() - { - $this->encrypt->set_mode(MCRYPT_MODE_CFB); - $this->assertEquals('cfb', $this->encrypt->get_mode()); - } - -} diff --git a/tests/mocks/database/ci_test.sqlite b/tests/mocks/database/ci_test.sqlite Binary files differindex 84f09add2..502913725 100755 --- a/tests/mocks/database/ci_test.sqlite +++ b/tests/mocks/database/ci_test.sqlite diff --git a/tests/mocks/libraries/encrypt.php b/tests/mocks/libraries/encrypt.php deleted file mode 100644 index c14d1e02f..000000000 --- a/tests/mocks/libraries/encrypt.php +++ /dev/null @@ -1,16 +0,0 @@ -<?php - -class Mock_Libraries_Encrypt extends CI_Encrypt { - - // Override inaccessible protected method - public function __call($method, $params) - { - if (is_callable(array($this, '_'.$method))) - { - return call_user_func_array(array($this, '_'.$method), $params); - } - - throw new BadMethodCallException('Method '.$method.' was not found'); - } - -} diff --git a/user_guide_src/source/changelog.rst b/user_guide_src/source/changelog.rst index b9a9e2015..5d98e7554 100644 --- a/user_guide_src/source/changelog.rst +++ b/user_guide_src/source/changelog.rst @@ -37,6 +37,7 @@ Release Date: Not Released - Libraries + - Removed previously deprecated *Encrypt Library*. - Removed previously deprecated *Cart Library*. - Removed previously deprecated *Javascript Library* (it was always experimental in the first place). - Removed previously deprecated ``anchor_class`` option from :doc:`Pagination Library <libraries/pagination>`. @@ -368,10 +369,10 @@ Release Date: Mar 20, 2017 - **Security** - Fixed a header injection vulnerability in :doc:`common function <general/common_functions>` :php:func:`set_status_header()` under Apache (thanks to Guillermo Caminer from `Flowgate <https://flowgate.net/>`_). - - Fixed byte-safety issues in :doc:`Encrypt Library <libraries/encrypt>` (DEPRECATED) when ``mbstring.func_overload`` is enabled. + - Fixed byte-safety issues in **Encrypt Library** (DEPRECATED) when ``mbstring.func_overload`` is enabled. - Fixed byte-safety issues in :doc:`Encryption Library <libraries/encryption>` when ``mbstring.func_overload`` is enabled. - Fixed byte-safety issues in :doc:`compatibility functions <general/compatibility_functions>` ``password_hash()``, ``hash_pbkdf2()`` when ``mbstring.func_overload`` is enabled. - - Updated :doc:`Encrypt Library <libraries/encrypt>` (DEPRECATED) to call ``mcrypt_create_iv()`` with ``MCRYPT_DEV_URANDOM``. + - Updated **Encrypt Library** (DEPRECATED) to call ``mcrypt_create_iv()`` with ``MCRYPT_DEV_URANDOM``. - General Changes @@ -1079,9 +1080,9 @@ Release Date: March 30, 2015 - Libraries - - Added a new :doc:`Encryption Library <libraries/encryption>` to replace the old, largely insecure :doc:`Encrypt Library <libraries/encrypt>`. + - Added a new :doc:`Encryption Library <libraries/encryption>` to replace the old, largely insecure **Encrypt Library**. - - :doc:`Encrypt Library <libraries/encrypt>` changes include: + - **Encrypt Library** changes include: - Deprecated the library in favor of the new :doc:`Encryption Library <libraries/encryption>`. - Added support for hashing algorithms other than SHA1 and MD5. @@ -1462,7 +1463,7 @@ Bug fixes for 3.0 - Fixed a bug (#1264) - :doc:`Database Forge <database/forge>` and :doc:`Database Utilities <database/utilities>` didn't update/reset the databases and tables list cache when a table or a database is created, dropped or renamed. - Fixed a bug (#7) - :doc:`Query Builder <database/query_builder>` method ``join()`` only escaped one set of conditions. - Fixed a bug (#1321) - ``CI_Exceptions`` couldn't find the *errors/* directory in some cases. -- Fixed a bug (#1202) - :doc:`Encrypt Library <libraries/encrypt>` ``encode_from_legacy()`` didn't set back the encrypt mode on failure. +- Fixed a bug (#1202) - **Encrypt Library** ``encode_from_legacy()`` didn't set back the encrypt mode on failure. - Fixed a bug (#145) - :doc:`Database Class <database/index>` method ``compile_binds()`` failed when the bind marker was present in a literal string within the query. - Fixed a bug in :doc:`Query Builder <database/query_builder>` method ``protect_identifiers()`` where if passed along with the field names, operators got escaped as well. - Fixed a bug (#10) - :doc:`URI Library <libraries/uri>` internal method ``_detect_uri()`` failed with paths containing a colon. @@ -1632,7 +1633,7 @@ Release Date: June 2, 2014 - General Changes - - Security: :doc:`Encrypt Library <libraries/encrypt>` method ``xor_encode()`` has been removed. The Encrypt Class now requires the Mcrypt extension to be installed. + - Security: **Encrypt Library** method ``xor_encode()`` has been removed. The Encrypt Class now requires the Mcrypt extension to be installed. - Security: The :doc:`Session Library <libraries/sessions>` now uses HMAC authentication instead of a simple MD5 checksum. Bug fixes for 2.2.0 @@ -2241,7 +2242,7 @@ Hg Tag: v2.0.0 - Documented append_output() in the :doc:`Output Class <libraries/output>`. - Documented a second argument in the decode() function for the - :doc:`Encrypt Class <libraries/encrypt>`. + **Encrypt Class**. - Documented db->close(). - Updated the router to support a default route with any number of segments. diff --git a/user_guide_src/source/installation/upgrade_200.rst b/user_guide_src/source/installation/upgrade_200.rst index 03b8ff4ac..96256b13a 100644 --- a/user_guide_src/source/installation/upgrade_200.rst +++ b/user_guide_src/source/installation/upgrade_200.rst @@ -64,9 +64,7 @@ string using the improved methods. This will enable you to easily replace stale encrypted data with fresh in your applications, either on the fly or en masse. -Please read :doc:`how to use this -method <../libraries/encrypt>` in the Encrypt library -documentation. +Please read how to use this in the Encrypt library documentation. Step 5: Remove loading calls for the compatibility helper. ========================================================== @@ -145,4 +143,4 @@ The following files have been changed: The following files have been added: - foreign_chars.php -- profiler.php
\ No newline at end of file +- profiler.php diff --git a/user_guide_src/source/installation/upgrade_220.rst b/user_guide_src/source/installation/upgrade_220.rst index 489dd6312..c87148ca1 100644 --- a/user_guide_src/source/installation/upgrade_220.rst +++ b/user_guide_src/source/installation/upgrade_220.rst @@ -2,12 +2,11 @@ Upgrading from 2.1.4 to 2.2.x ############################# -.. note:: The :doc:`Encrypt Class </libraries/encrypt>` now requires the - Mcrypt extension. If you were previously using the Encrypt Class - without Mcrypt, then this is a breaking change. You must install - the Mcrypt extension in order to upgrade. For information on - installing Mcrypt please see the PHP `documentation - <https://secure.php.net/manual/en/mcrypt.setup.php>`. +.. note:: The **Encrypt Class** now requires the Mcrypt extension. If you + were previously using the Encrypt Class without Mcrypt, then this + is a breaking change. You must install the Mcrypt extension in + order to upgrade. For information on installing Mcrypt please see + the PHP `documentation <https://secure.php.net/manual/en/mcrypt.setup.php>`. Before performing an update you should take your site offline by replacing the index.php file with a static one. @@ -18,4 +17,4 @@ Step 1: Update your CodeIgniter files Replace all files and directories in your "system" folder. .. note:: If you have any custom developed files in these folders please - make copies of them first.
\ No newline at end of file + make copies of them first. diff --git a/user_guide_src/source/installation/upgrade_300.rst b/user_guide_src/source/installation/upgrade_300.rst index 188144844..03a7b579c 100644 --- a/user_guide_src/source/installation/upgrade_300.rst +++ b/user_guide_src/source/installation/upgrade_300.rst @@ -520,7 +520,7 @@ The SHA1 library The previously deprecated SHA1 library has been removed, alter your code to use PHP's native ``sha1()`` function to generate a SHA1 hash. -Additionally, the ``sha1()`` method in the :doc:`Encrypt Library <../libraries/encrypt>` has been removed. +Additionally, the ``sha1()`` method in the **Encrypt Library** has been removed. The EXT constant ================ @@ -541,17 +541,16 @@ Also, the previously deprecated ``js_insert_smiley()`` (since version 1.7.2) is The Encrypt library =================== -Following numerous vulnerability reports, the :doc:`Encrypt Library <../libraries/encrypt>` has -been deprecated and a new, :doc:`Encryption Library <../libraries/encryption>` is added to take -its place. +Following numerous vulnerability reports, the **Encrypt Library** has been deprecated and a +new, :doc:`Encryption Library <../libraries/encryption>` is added to take its place. The new library requires either the `MCrypt extension <https://secure.php.net/mcrypt>`_ (and /dev/urandom availability) or PHP 5.3.3 and the `OpenSSL extension <https://secure.php.net/openssl>`_. While this might be rather inconvenient, it is a requirement that allows us to have properly implemented cryptographic functions. -.. note:: The :doc:`Encrypt Library <../libraries/encrypt>` is still available for the purpose - of keeping backwards compatibility. +.. note:: The **Encrypt Library** is still available for the purpose of keeping + backwards compatibility. .. important:: You are strongly encouraged to switch to the new :doc:`Encryption Library <../libraries/encryption>` as soon as possible! diff --git a/user_guide_src/source/installation/upgrade_320.rst b/user_guide_src/source/installation/upgrade_320.rst index 368871d7d..c70ff707c 100644 --- a/user_guide_src/source/installation/upgrade_320.rst +++ b/user_guide_src/source/installation/upgrade_320.rst @@ -222,6 +222,7 @@ CodeIgniter versions that have been removed in 3.2.0: - ``read_file()`` :doc:`File Helper <../helpers/file_helper>` function (use ``file_get_contents()`` instead) - ``form_prep()`` :doc:`Form Helper <../helpers/form_helper>` function (use :php:func:`html_escape()` instead) +- The entire *Encrypt Library* (the newer :doc:`Encryption Library <../libraries/encryption>` is still available) - The entire *Cart Library* (an archived version is available on GitHub: `bcit-ci/ci3-cart-library <https://github.com/bcit-ci/ci3-cart-library>`_) - The entire *Javascript Library* (it was always experimental in the first place) diff --git a/user_guide_src/source/libraries/encrypt.rst b/user_guide_src/source/libraries/encrypt.rst deleted file mode 100644 index 10893b901..000000000 --- a/user_guide_src/source/libraries/encrypt.rst +++ /dev/null @@ -1,198 +0,0 @@ -############# -Encrypt Class -############# - -The Encrypt Class provides two-way data encryption. It encrypted using -the Mcrypt PHP extension, which is required for the Encrypt Class to run. - -.. important:: This library has been DEPRECATED and is only kept for - backwards compatibility. Please use the new :doc:`Encryption Library - <encryption>`. - -.. contents:: - :local: - -.. raw:: html - - <div class="custom-index container"></div> - -************************* -Using the Encrypt Library -************************* - -Setting your Key -================ - -A *key* is a piece of information that controls the cryptographic -process and permits an encrypted string to be decoded. In fact, the key -you chose will provide the **only** means to decode data that was -encrypted with that key, so not only must you choose the key carefully, -you must never change it if you intend use it for persistent data. - -It goes without saying that you should guard your key carefully. Should -someone gain access to your key, the data will be easily decoded. If -your server is not totally under your control it's impossible to ensure -key security so you may want to think carefully before using it for -anything that requires high security, like storing credit card numbers. - -To take maximum advantage of the encryption algorithm, your key should -be 32 characters in length (256 bits). The key should be as random a -string as you can concoct, with numbers and uppercase and lowercase -letters. Your key should **not** be a simple text string. In order to be -cryptographically secure it needs to be as random as possible. - -Your key can be either stored in your **application/config/config.php**, or -you can design your own storage mechanism and pass the key dynamically -when encoding/decoding. - -To save your key to your **application/config/config.php**, open the file -and set:: - - $config['encryption_key'] = "YOUR KEY"; - -Message Length -============== - -It's important for you to know that the encoded messages the encryption -function generates will be approximately 2.6 times longer than the -original message. For example, if you encrypt the string "my super -secret data", which is 21 characters in length, you'll end up with an -encoded string that is roughly 55 characters (we say "roughly" because -the encoded string length increments in 64 bit clusters, so it's not -exactly linear). Keep this information in mind when selecting your data -storage mechanism. Cookies, for example, can only hold 4K of -information. - -Initializing the Class -====================== - -Like most other classes in CodeIgniter, the Encrypt class is -initialized in your controller using the ``$this->load->library()`` -method:: - - $this->load->library('encrypt'); - -Once loaded, the Encrypt library object will be available using:: - - $this->encrypt - -*************** -Class Reference -*************** - -.. php:class:: CI_Encrypt - - .. php:method:: encode($string[, $key = '']) - - :param string $string: Data to encrypt - :param string $key: Encryption key - :returns: Encrypted string - :rtype: string - - Performs the data encryption and returns it as a string. Example:: - - $msg = 'My secret message'; - - $encrypted_string = $this->encrypt->encode($msg); - - You can optionally pass your encryption key via the second parameter if - you don't want to use the one in your config file:: - - $msg = 'My secret message'; - $key = 'super-secret-key'; - - $encrypted_string = $this->encrypt->encode($msg, $key); - - .. php:method:: decode($string[, $key = '']) - - :param string $string: String to decrypt - :param string $key: Encryption key - :returns: Plain-text string - :rtype: string - - Decrypts an encoded string. Example:: - - $encrypted_string = 'APANtByIGI1BpVXZTJgcsAG8GZl8pdwwa84'; - - $plaintext_string = $this->encrypt->decode($encrypted_string); - - You can optionally pass your encryption key via the second parameter if - you don't want to use the one in your config file:: - - $msg = 'My secret message'; - $key = 'super-secret-key'; - - $encrypted_string = $this->encrypt->decode($msg, $key); - - .. php:method:: set_cipher($cipher) - - :param int $cipher: Valid PHP MCrypt cypher constant - :returns: CI_Encrypt instance (method chaining) - :rtype: CI_Encrypt - - Permits you to set an Mcrypt cipher. By default it uses - ``MCRYPT_RIJNDAEL_256``. Example:: - - $this->encrypt->set_cipher(MCRYPT_BLOWFISH); - - Please visit php.net for a list of `available ciphers <https://secure.php.net/mcrypt>`_. - - If you'd like to manually test whether your server supports MCrypt you - can use:: - - echo extension_loaded('mcrypt') ? 'Yup' : 'Nope'; - - .. php:method:: set_mode($mode) - - :param int $mode: Valid PHP MCrypt mode constant - :returns: CI_Encrypt instance (method chaining) - :rtype: CI_Encrypt - - Permits you to set an Mcrypt mode. By default it uses **MCRYPT_MODE_CBC**. - Example:: - - $this->encrypt->set_mode(MCRYPT_MODE_CFB); - - Please visit php.net for a list of `available modes <https://secure.php.net/mcrypt>`_. - - .. php:method:: encode_from_legacy($string[, $legacy_mode = MCRYPT_MODE_ECB[, $key = '']]) - - :param string $string: String to encrypt - :param int $legacy_mode: Valid PHP MCrypt cipher constant - :param string $key: Encryption key - :returns: Newly encrypted string - :rtype: string - - Enables you to re-encode data that was originally encrypted with - CodeIgniter 1.x to be compatible with the Encrypt library in - CodeIgniter 2.x. It is only necessary to use this method if you have - encrypted data stored permanently such as in a file or database and are - on a server that supports Mcrypt. "Light" use encryption such as - encrypted session data or transitory encrypted flashdata require no - intervention on your part. However, existing encrypted Sessions will be - destroyed since data encrypted prior to 2.x will not be decoded. - - .. important:: - **Why only a method to re-encode the data instead of maintaining legacy - methods for both encoding and decoding?** The algorithms in the - Encrypt library have improved in CodeIgniter 2.x both for performance - and security, and we do not wish to encourage continued use of the older - methods. You can of course extend the Encryption library if you wish and - replace the new methods with the old and retain seamless compatibility - with CodeIgniter 1.x encrypted data, but this a decision that a - developer should make cautiously and deliberately, if at all. - - :: - - $new_data = $this->encrypt->encode_from_legacy($old_encrypted_string); - - ====================== =============== ======================================================================= - Parameter Default Description - ====================== =============== ======================================================================= - **$orig_data** n/a The original encrypted data from CodeIgniter 1.x's Encryption library - **$legacy_mode** MCRYPT_MODE_ECB The Mcrypt mode that was used to generate the original encrypted data. - CodeIgniter 1.x's default was MCRYPT_MODE_ECB, and it will assume that - to be the case unless overridden by this parameter. - **$key** n/a The encryption key. This it typically specified in your config file as - outlined above. - ====================== =============== =======================================================================
\ No newline at end of file diff --git a/user_guide_src/source/libraries/encryption.rst b/user_guide_src/source/libraries/encryption.rst index 833a56c09..643818aa4 100644 --- a/user_guide_src/source/libraries/encryption.rst +++ b/user_guide_src/source/libraries/encryption.rst @@ -280,8 +280,8 @@ Configuring the library ======================= For usability, performance, but also historical reasons tied to our old -:doc:`Encrypt Class <encrypt>`, the Encryption library is designed to -use repeatedly the same driver, encryption cipher, mode and key. +**Encrypt Class**, the Encryption library is designed to use repeatedly +the same driver, encryption cipher, mode and key. As noted in the "Default behavior" section above, this means using an auto-detected driver (OpenSSL has a higher priority), the AES-128 ciper |